<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rev="made" href="mailto:www@openbsd.org">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="resource-type" content="document">
<meta name="description" content="OpenBSD cryptography">
<meta name="keywords" content="openbsd,cryptography,openssh,openssl,kerberos">
<meta name="keywords" content="ipsec,isakmp,ike,blowfish,des,rsa,dsa">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997-2006 by OpenBSD.">
<title>Cryptography in OpenBSD</title>
</head>

<body bgcolor="#ffffff" text="#000000" link="#23238e">
<img align="left" alt="[OpenBSD]" height="166" width="197" src="images/blowfish-notext.jpg">
<br>
<br>
<br>
"The mantra of any good security engineer is: "Security is not a
product, but a process." It's more than designing strong cryptography
into a system; it's designing the entire system such that all security
measures, including cryptography, work together."<br>
<br>
-- Bruce Schneier, author of "Applied Cryptography".
<br clear="all">
<h2><font color="#e00000">Cryptography</font></h2>
<hr>

<strong>Index</strong><br>
<a href="#why">Why do we ship cryptography?</a>.<br>
<a href="#ssh">OpenSSH</a>.<br>
<a href="#prng">Pseudo Random Number Generators</a> (PRNG): ARC4, ...<br>
<a href="#hash">Cryptographic Hash Functions</a>: MD5, SHA1, ...<br>
<a href="#trans">Cryptographic Transforms</a>: DES, Blowfish, ...<br>
<a href="#hardware">Cryptographic Hardware support</a><br>
<a href="#people">International Cryptographers wanted</a><br>
<a href="#papers">Further Reading</a><br>
<p>
<hr>

<a name="why"></a>
<h3><font color="#e00000">Why do we ship cryptography?</font></h3><p>

In three words:  <strong>because we can</strong>.<p>

The OpenBSD project is based in Canada.<p>

The <a href="ECL.html">Export Control List of Canada</a>
places no significant restriction on the export of
cryptographic software, and is even more explicit about the free
export of freely-available cryptographic software.  Marc Plumb has
done
<a href="http://www.efc.ca/pages/doc/crypto-export.html">
some research to test the cryptographic laws</a>.
<p>

Hence the OpenBSD project has embedded cryptography into numerous places
in the operating system.  We require that the cryptographic software we
use be <a href="policy.html">freely available and with good licenses</a>.
We do not directly use cryptography with nasty patents.
We also require that such software is from countries with useful export
licenses because we do not wish to break the laws of any country.
The cryptographic software components which we use currently were
written in Argentina, Australia, Canada, Germany, Greece, Norway, and
Sweden.
<p>

When we create OpenBSD releases or snapshots we build our release
binaries in free countries to assure that the sources and binaries we
provide to users are free of tainting.  In the past our release binary
builds have been done in Canada, Sweden, and Germany.<p>

OpenBSD ships with Kerberos V included.  The codebase we use is the
exportable Heimdal release from Sweden.  Our X11 source has been
extended to make use of Kerberos as well.<p>


<img align="right" src="images/vpnc-test-partner.gif" alt="VPNC TEST PARTNER">
OpenBSD was the first operating system to ship with an IPsec stack.
We've been including IPsec since the OpenBSD 2.1 release in 1997.
Our fully conformant in-kernel IPsec stack, with hardware acceleration
based on a number of cards, and our own free ISAKMP daemon, is used as
one of the machines in the IPsec conformance testbed run by
<a href="http://www.vpnc.org">VPNC</a>.
<br clear="all">
<p>

Today cryptography is an important means for enhancing the <a
href="security.html">security</a> of an operating system.  The
cryptography utilized in OpenBSD can be classified into various
aspects, described as follows.<p>

<a name="ssh"></a>
<h3><font color="#e00000">OpenSSH</font></h3><p>

As of the 2.6 release, OpenBSD contains
<a href="http://www.openssh.com/">OpenSSH</a>, an absolutely free and
patent unencumbered version of ssh.
<a href="http://www.openssh.com/">OpenSSH</a> interoperated with ssh
version 1 and had many added features,	
<ul>
<li>
all components of a restrictive nature (i.e., patents, see
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&amp;sektion=8">ssl(8)</a>)
had been directly removed from the source code; any licensed or
patented components used external libraries.
<li>
had been updated to support ssh protocol 1.5.
<li>
contained added support for Kerberos authentication and ticket passing.
<li>
supported one-time password authentication with
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&amp;sektion=1">skey(1)</a>.
</ul>
<p>

Roughly said, we took a free license release of ssh, OpenBSD-ifyed it.
About a year later, we extended OpenSSH to also do SSH 2 protocol, the
result being support for all 3 major SSH protocols: 1.3, 1.5, 2.0.

<a name="prng"></a>
<h3><font color="#e00000">Pseudo Random Number Generators</font></h3><p>

A Pseudo Random Number Generator (PRNG) provides applications with a stream of
numbers which have certain important properties for system security:<p>

<ul>
<li>It should be impossible for an outsider to predict the output of the
	random number generator even with knowledge of previous output.
<li>The generated numbers should not have repeating patterns which means
	the PRNG should have a very long cycle length.
</ul>
<p>

A PRNG is normally just an algorithm where the same initial starting
values will yield the same sequence of outputs. On a multiuser
operating system there are many sources which allow seeding the PRNG
with random data. The OpenBSD kernel uses the mouse interrupt timing,
network data interrupt latency, inter-keypress timing and disk IO
information to fill an entropy pool.  Random numbers are available for
kernel routines and are exported via devices to userland programs.
So far random numbers are used in the following places:<p>

<ul>
<li>Dynamic sin_port allocation in bind(2).
<li>PIDs of processes.
<li>IP datagram IDs.
<li>RPC transaction IDs (XID).
<li>NFS RPC transaction IDs (XID).
<li>DNS Query-IDs.
<li>Inode generation numbers, see getfh(2) and fsirand(8).
<li>Timing perturbance in traceroute(8).
<li>Stronger temporary names for mktemp(3) and mkstemp(3)
<li>Randomness added to the TCP ISS value for protection against
	spoofing attacks.
<li>random padding in IPsec esp_old packets.
<li>To generate salts for the various password algorithms.
<li>For generating fake S/Key challenges.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&amp;sektion=8">isakmpd(8)</a>
	to provide liveness proof of key exchanges.
</ul>

<p>
<a name="hash"></a>
<h3><font color="#e00000">Cryptographic Hash Functions</font></h3><p>

A Hash Function compresses its input data to a string of
constant size. For a Cryptographic Hash Function it is infeasible to find:

<ul>
<li>two inputs which have the same output (collision resistant),
<li>a different input for a given input with the same output
	(2nd preimage resistant).
</ul>
<p>

In OpenBSD MD5, SHA1, and RIPEMD-160 are used as Cryptographic Hash Functions,
e.g:<p>
<ul>
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&amp;sektion=1">S/Key(1)</a>
    to provide one time passwords.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&amp;sektion=4">IPsec(4)</a>
    and
    <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&amp;sektion=8">isakmpd(8)</a>
    to authenticate the data origin of packets and to ensure packet integrity.
<li>For FreeBSD-style MD5 passwords (not enabled by default), see
    <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=passwd.conf&amp;sektion=5">
    passwd.conf(5)</a>
<li>In libssl for digital signing of messages.
</ul>
<p>

<p>
<a name="trans"></a>
<h3><font color="#e00000">Cryptographic Transforms</font></h3><p>

Cryptographic Transforms are used to encrypt and decrypt data. These
are normally used with an encryption key for data encryption and with
a decryption key for data decryption. The security of a Cryptographic
Transform should rely only on the keying material.<p>

OpenBSD provides transforms like DES, 3DES, Blowfish and Cast for the
kernel and userland programs, which are used in many places like:<p>
<ul>
<li>In libc for creating
    <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=blf_key&amp;sektion=3">Blowfish</a>
    passwords.  See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a>
    on this topic.
<li>In
    <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&amp;sektion=4">IPsec(4)</a>
    to provide confidentiality for the network layer.
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&amp;sektion=8">isakmpd(8)</a>
    to protect the exchanges where IPsec key material is negotiated.
<li>In AFS to protect the messages passing over the network, providing
    confidentiality of remote filesystem access.
<li>In libssl to let applications communicate over the de-facto standard
	cryptographically secure SSL protocol.
</ul>

<p>
<a name="hardware"></a>
<h3><font color="#e00000">Cryptographic Hardware Support</font></h3><p>

OpenBSD, starting with 2.7, has begun supporting some cryptography hardware
such as accelerators and random number generators.
<ul>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&amp;sektion=9">
    IPsec crypto dequeue</a></b><br>
    Our IPsec stack has been modified so that cryptographic functions get
    done out-of-line.  Most simple software IPsec stacks need to do
    cryptography when processing each packet.  This results in synchronous
    performance.  To use hardware properly and speedily one needs to separate
    these two components, as we have done.  Actually, doing this gains some
    performance even for the software case.
<p>
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hifn&amp;sektion=4">
    Hifn 7751</a></b><br>
    Cards using the Hifn 7751 can be used as a symmetric cryptographic
    accelerator, i.e., the
    <a href="http://www.soekris.com/vpn1201.htm">Soekris VPN1201 or VPN1211</a>
    (<a href="http://www.soekris.com/how_to_buy.htm">to buy</a>)
    or
    <a href="http://www.powercrypt.com">PowerCrypt</a>.
    Current performance using a single Hifn 7751 on each end of a tunnel
    is 64Mbit/sec for 3DES/SHA1 ESP, nearly a 600% improvement over
    using a P3/550 CPU.  Further improvements are under way to resolve a
    few more issues, but as of April 13, 2000 the code is considered
    stable.  We wrote our own driver for supporting this chip, rather
    than using the (USA-written)
    <a href="http://www.powercrypt.com">PowerCrypt</a> driver, as well
    our driver links in properly to the IPsec stack.
    The 7751 is now considered slow by industry standards and many vendors
    have faster chips (even Hifn now has a faster but more expensive
    chip).  Peak performance with 3DES SHA1 ESP is around 64Mbit/sec.
    <p>
    After 2.9 shipped, support was added for the Hifn 7951 chip, a
    simplified version of the 7751 which adds a public key accelerator
    (unsupported) and a random number generator (supported).  Cards
    were donated by <a href="http://www.soekris.com/">Soekris Engineering</a>.
    <p>
    After 3.0 shipped, support was added for the Hifn 7811 chip, a
    faster version of the 7751 (around 130Mbit/s) with a random number
    generator.  A card was donated by <a href="http://www.gtgi.com/">GTGI</a>.
    <p>
    After 3.2 shipped, support was added for the LZS compression algorithm
    used by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipcomp&amp;sektion=4">ipcomp(4)</a>.
    <p>
    After 3.4 shipped, support was added for the 7955 and 7956 chips.
    In addition to all the features of the previous 7951 chip, these add AES.
    <p>
    Hifn was initially a difficult company to deal with (threatening to sue
    us over our non-USA reverse engineering of their crypto unlock algorithm),
    but more recently they have been very helpful in providing boards and
    support.
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lofn&amp;sektion=4">
    Hifn 6500</a></b><br>
    This device is an asymmetric crypto unit.  It has support for RSA, DSA,
    and DH algorithms, as well as other major big number functions.  It also
    contains a very high performance random number generator.  We have one
    device, full documentation, and sample code.  As of OpenBSD 3.1,
    both the random number generator and big number unit are working.
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nofn&amp;sektion=4">
    Hifn 7814/7851/7854</a></b><br>
    This device is a packet processor and asymmetric crypto unit.  It has
    support for RSA, DSA, and DH algorithms, as well as other major big number
    functions and also has a random number generator.  Currently, only the
    big number engine and the random number generator are supported (no
    packet transforms).
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ubsec&amp;sektion=4">
    Broadcom BCM5801/BCM5802/BCM5805/BCM5820/BCM5821/BCM5822/5823
    (or beta chip Bluesteelnet 5501/5601)</a></b><br>
    Just after the OpenBSD 2.7 release, we succeeded at adding preliminary
    support for these early release parts provided to us by the vendor,
    specifically starting with the test chip 5501.
    These devices provide the highest performance symmetric cryptography
    we have seen.
    <p>
    Bluesteelnet was bought by Broadcom and started making real parts.
    Their new BCM5805 is similar, except that they also add an asymmetric
    engine for running DSA, RSA, and other such algorithms.  With approximate
    performance starting at more than four times as fast as the Hifn,
    hopefully this chip will become more common soon.
    <p>
    The Broadcom/Bluesteelnet people have been great to deal with.  They gave
    us complete documentation and sample code for their chips and a
    sufficient number of cards to test with.
    <p>
    Post 2.8, this driver was also modified to generate random numbers on
    the BCM5805 and similar versions, and feed that data into the kernel
    entropy pool.
    <p>
    Post 2.9, support was added for the BCM5820, which is mostly just a
    faster (64bit, higher clock speed) version of the BCM5805.  Untested
    support for the BCM5821 was also added post 3.0.
    <p>
    As of 3.1, the big num engine is supported, and RSA/DH/DSA operations
    can be accelerated.
    <p>
    Support for the BCM5801, BCM5802, BCM5821 and BCM5822 was added before
    OpenBSD 3.2 (the untested BCM5821 support in 3.1 was broken because of
    some undocumented interrupt handling requirements).
    <p>
    Partial support for BCM5823 was added for 3.4.  The chip supports AES,
    but the driver does not.
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ises&amp;sektion=4">
    Securealink PCC-ISES</a></b><br>
    The <a href="http://www.safenet-inc.com/technology/chips/safexcel_ises.asp">
    PCC-ISES</a> is a new chipset from the Netherlands.  We have received
    sample hardware and documentation, and work on a driver is in progress.
    At the moment, the driver is capable of feeding random numbers into
    the kernel entropy pool.
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=safe&amp;sektion=4">
    SafeNet SafeXcel 1141/1741</a></b><br>
    After 3.4 shipped, support was for added for these two chips (found on various
    <a href="http://www.safenet-inc.com/products/accCards/">SafeNet</a>
    crypto cards. Supports DES, Triple-DES, AES,  MD5, and SHA-1 symmetric crypto
    operations, RNG, public key operations, and full IPsec packet processing.
    <p>

<li><b>SafeNet SafeXcel 1840</b><br>
    We have received documentation and sample hardware for the
    <a href="http://www.safenet-inc.com/products/chips/safeXcel1840.asp">SafeNet 1840</a>
    crypto chip. Work to support at least the RNG and symmetric cryptography of
    these devices has started.
    <p>
    
<li><b>SafeNet SafeXcel 2141</b><br>
    We have received documentation and sample hardware for the
    <a href="http://www.safenet-inc.com/products/chips/safeXcel2141.asp">SafeNet 2141</a>
    crypto chip. Work to support at least the symmetric cryptography of
    these devices has started.
    <p>
   
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=txp&amp;sektion=4">
    3com 3cr990</a></b><br>
    3com gave us a driver to support the ethernet component of this chipset,
    and based on that, we have written our own ethernet driver. This driver
    has now been integrated once we were able to get a free license on the
    microcode.  Due to poor documentation and lack of cooperation (partly
    because of the high turnover rates at 3Com), the IPsec functions of the
    chip are not supported.... so this turned out to be a less than completely
    useful exercise.
    <p>

<li><b>Intel IPsec card</b><br>
    Much like Intel does for all their networking division components, and
    completely unlike most other vendors, Intel steadfastly refuses to provide
    us with documentation.  We have talked to about five technical people who
    are involved in the development of those products.  They all want us to
    have documentation.  They commend us on what we have done.  But their hands
    are tied by management who does not perceive a benefit to themselves for
    providing documentation.  Forget about Intel.  (If you want to buy gigabit
    ethernet hardware, we recommend anything else... for the same reason:
    most drivers we have for Intel networking hardware were written without
    documentation).
    <p>

<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&amp;sektion=4">
    Intel 82802AB/82802AC Firmware Hub RNG</a></b><br>
    The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards)
    contains a random number generator (RNG).  High-performance IPsec
    requires more random number entropy.  As of April 10, 2000, we support
    the RNG.  We will add support for other RNGs found on crypto chips.
    <p>

<li><b>VIA C3 RNG</b><br>
    The newer VIA C3 CPU contains a random number generator as an instruction.
    As of <a href="33.html">3.3</a> this random number generator is used
    inside the kernel to feed the entropy pool.
    <p>

<li><b>VIA C3 AES instructions</b><br>
    VIA C3 CPUs with a step 8 or later Nehemiah core contains an AES
    implementation accessible via simple instructions. As of <a
    href="34.html">3.4</a> the kernel supports them to be used in an
    IPsec context and exported by <tt>/dev/crypto</tt>. As of <a
    href="35.html">3.5</a> performances have been greatly improved
    and OpenSSL now uses the new instruction directly when available
    without the need to enter the kernel, resulting in vastly
    improved speed (AES-128 measured at 780MByte/sec) for applications
    using OpenSSL to perform AES encryption.
    <p>

<li><b>OpenSSL</b><br>
    Years ago, we had a grand scheme to support crypto cards that can do
    RSA/DH/DSA automatically via OpenSSL calls.  As of OpenBSD 3.2, that
    support works, and any card that is supported with such functionality
    will automatically use the hardware, including OpenSSH and httpd in
    SSL mode.  No application changes are required.
</ul>

<p>
<b>If people wish to help with writing drivers,
<a href="#people">come and help us</a>.</b>

<p>
<a name="people"></a>
<h3><font color="#e00000">International Cryptographers Wanted</font></h3><p>

Of course, our project needs people to work on these systems.  If any
non-American cryptographer who meets the constraints listed earlier is
interested in helping out with embedded cryptography in OpenBSD,
please contact us.<p>

<p>
<a name="papers"></a>
<h3><font color="#e00000">Further Reading</font></h3><p>

A number of papers have been written by OpenBSD team members, about
cryptographic changes they have done in OpenBSD.  The postscript
versions of these documents are available as follows.<p>

<ul>
<li>A Future-Adaptable Password Scheme.<br>
    <a href="events.html#usenix99">Usenix 1999</a>,
    by <a href="mailto:provos@openbsd.org">Niels Provos</a>,
    <a href="mailto:dm@openbsd.org">David Mazieres</a>.<br>
    <a href="papers/bcrypt-paper.ps">paper</a> and
    <a href="papers/bcrypt-slides.ps">slides</a>.
<p>
<li>Cryptography in OpenBSD: An Overview.<br>
    <a href="events.html#usenix99">Usenix 1999</a>,
    by <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>,
    <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a>,
    <a href="mailto:art@openbsd.org">Artur Grabowski</a>,
    <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
    <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
    <a href="papers/crypt-paper.ps">paper</a> and
    <a href="papers/crypt-slides.ps">slides</a>.
<p>
<li>Implementing Internet Key Exchange (IKE).<br>
    <a href="events.html#usenix2000">Usenix 2000</a>,
    by <a href="mailto:niklas@openbsd.org">Niklas Hallqvist</a> and
    <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>.<br>
    <a href="papers/ikepaper.ps">paper</a> and
    <a href="papers/ikeslides.ps">slides</a>.
<p>
<li>Encrypting Virtual Memory.<br>
    <a href="events.html#sec2000">Usenix Security 2000</a>,
    <a href="mailto:provos@openbsd.org">Niels Provos</a>.<br>
    <a href="papers/swapencrypt.ps">paper</a> and
    <a href="papers/swapencrypt-slides.ps">slides</a>.
<p>
<li>The Design of the OpenBSD Cryptographic Framework.<br>
    <a href="events.html#usenix2003">Usenix 2003</a>, by
    <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
    <a href="mailto:jason@openbsd.org">Jason L. Wright</a>, and
    <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
    <a href="papers/ocf.pdf">paper</a>.
<p>
<li>Cryptography As an Operating System Service: A Case Study.<br>
    <a href="http://www.acm.org/tocs/">ACM Transactions on Computer Systems</a>,
    February 2006, by
    <a href="mailto:angelos@openbsd.org">Angelos D. Keromytis</a>,
    <a href="mailto:jason@openbsd.org">Jason L. Wright</a>, and
    <a href="mailto:deraadt@openbsd.org">Theo de Raadt</a>.<br>
    <a href="papers/crypt-service.pdf">paper</a>.
</ul>

<p>
<hr>
<a href="index.html"><img height="24" width="24" src="back.gif" border="0" alt="OpenBSD"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: crypto.html,v 1.133 2006/12/12 09:01:46 steven Exp $</small>

</body>
</html>
